Chapter 37 - Monitoring Events

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

An event is any significant occurrence in the system (or in an application) that users should be told about. Some critical events, such as a full disk drive or an interrupted power supply, are announced in an on-screen message. Events that do not require immediate attention are recorded in an event log. Event logging starts automatically each time you start Windows NT Workstation. With an event log and a tool called Event Viewer, you can troubleshoot hardware and software problems and monitor Windows NT Workstation security events. You can also archive logs in several file formats.

Overview

Windows NT Workstation records events in three kinds of logs:

The system log contains events logged by the Windows NT Workstation system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by Windows NT Workstation.

The security log can contain valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you use User Manager to enable logon and logoff auditing, attempts to log on to the system are recorded in the security log.

The application log contains events logged by applications. For example, a database program might record a file error in the application log. Application developers decide which events to monitor.

System and application logs can be viewed by all users; the security log can be viewed only by users who hold the Manage auditing and security log right, which by default means members of the Administrators group.

Enabling Security Logging

By default, security logging is turned off. To enable security logging, run User Manager to set the Audit policy.

Note The Windows NT Workstation Resource Kit includes Crystal Reports Event Log Viewer, a full-featured report writer that provides an easy way to extract, view, save, and publish information from event logs in a variety of formats. For more information on Crystal Reports Event Log Viewer, see Readme.hlp in the \Crystal\Disk1 folder on the Windows NT Workstation Resource Kit 4.0 compact disc.

Interpreting an Event

Each event record consists of a header, a description of the event (whose format depends on the event type), and optionally, additional binary data. Most security log entries consist of the header and a description only.

Event Viewer displays events from each log separately. Each line shows information about one event, including date, time, source, event type, category, Event ID, user account, and computer name.

For more information about Windows NT Workstation events, see the Messages Database Help file on the Windows NT Workstation Resource Kit 4.0 compact disc.

The Event Header

The event header contains the following information.

Date: The date the event occurred.

Time: The (local) time the event occurred.

User: The username of the user on whose behalf the event occurred. This name is the client ID if the event was actually caused by a server process acting for a client, or the primary ID if impersonation is not taking place. Where applicable, a security log entry contains both the primary and impersonation IDs. (Impersonation occurs when Windows NT Workstation allows one process to take on the security attributes of another.)

Computer: The name of the computer where the event occurred. This is usually your own computer, unless you are viewing an event log on another Windows NT computer.

Event ID: A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event logged when the Event Log service is started; the first line of its description is "The Event log service was started." The Event ID together with the Source identifies what was logged, and the pair can be quoted to product support representatives when troubleshooting system problems.

Source: The software that logged the event, which can be either an application name, such as "SQL Server," or a component of the system or of a large application, such as a driver name. For example, "Elnkii" indicates the EtherLink II driver.

Type: A classification of the event severity: Error, Information, or Warning in the system and application logs; Success Audit or Failure Audit in the security log. In Event Viewer's normal list view, the type is shown as a symbol.

Category: A classification of the event by the event source. This information is used mainly in the security log, where it corresponds to one of the event types for which success or failure auditing can be enabled in the User Manager Audit Policy dialog box.

Event Description

The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event.

Event Types

The symbol on the left side of the Event Viewer screen indicates the event type:

Error: Significant problems, such as a loss of data or loss of functions. For example, an Error event might be logged if a service was not loaded during Windows NT Workstation startup.

Warning: Events that are not necessarily significant but that indicate possible future problems. For example, a Warning event might be logged when disk space is low.

Information: Infrequent significant events that describe successful operations of major server services. For example, when a database program loads successfully, it might log an Information event.

Success Audit: Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system might be logged as a Success Audit event.

Failure Audit: Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt might be logged as a Failure Audit event.

Additional Data

The optional data field, if used, contains binary data, which can be displayed in bytes or words. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by a support technician familiar with the source application.

When viewing an error log on a LAN Manager 2.x server, only the date, time, source, and event ID are shown. When viewing an audit log on a LAN Manager 2.x server, only the date, time, category, user, and computer are shown.

Using Event Viewer

You determine which event log to view by switching between the system, security, and application logs. You can also use Event Viewer to view logs on other computers.

Selecting a Log

Use the Log menu to select a log for event viewing. Although the system log of the local computer appears the first time you start Event Viewer, you can choose to view the security or application log.

Selecting a Computer

When you first start Event Viewer, the events for the local computer appear.

To view events for another computer, click Select Computer on the Log menu. (It can be a computer running Windows NT Workstation or Windows NT Server, or a LAN Manager 2.x server.)

If the computer you select is across a link with slow transmission rates, select Low Speed Connection. If this option is selected, Windows NT Workstation does not list all the computers in the default domain, thereby minimizing network traffic across the link. (If slow transmission rates are commonplace, click Low Speed Connection on the Options menu.)

If you select a LAN Manager 2.x server for viewing, Event Viewer can display its error (system) log and its audit (security) log.

For information on how to select a computer for event viewing, see "Select Computer" in Event Viewer Help.

Refreshing the View

When you first open a log file, Event Viewer displays the current information for that log. This information is not updated automatically. To see the latest events and to remove overwritten entries, choose the Refresh command.

For more information, see "Refresh" in Event Viewer Help.

Changing the Font

You can change the font used in Event Viewer. Changing this font affects only the display of the list of events in the main Event Viewer window.

For more information, see "Changing the Font Selection" in Event Viewer Help.

Viewing Specific Logged Events

After you select a log to view in Event Viewer, you can:

View descriptions and additional details that the event source logs.

Sort events from oldest to newest or from newest to oldest.

Filter events so that only events with specific characteristics are displayed.

Search for events based on specific characteristics or event descriptions.

Viewing Details About Events

For many events, you can view more information than is displayed in Event Viewer by double-clicking the event.

The Event Detail dialog box shows a text description of the selected event and any available binary data for the selected event. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by a support technician familiar with the source application. Not all events generate such data. For more information, see "Viewing Event Details" in Event Viewer Help.

To control the types of security events that are audited, click Audit on the Policies menu in User Manager. To control the auditing of file and folder access, click Auditing on the Security tab of the file's or folder's Properties dialog box in Windows NT Explorer.

Sorting Events

By default, Event Viewer lists events by date and time of occurrence from the newest event to the oldest. To change the order from oldest to newest, click Oldest First on the View menu. If the Save Settings On Exit command on the Options menu is checked when you quit, the current sort order is used the next time you start Event Viewer.

When a log is archived, the sort order affects the order in which event records are archived in a text format or comma-delimited text format file; sort order does not affect the order of event records archived in log file format. For more information, see "Using Event Viewer with Archived Log Files" later in this chapter.

For information on how to specify the sort order, see "Sorting Events" in Event Viewer Help.

Filtering Events

By default, Event Viewer lists all events recorded in the selected log. To view a subset of events that have specific characteristics, click Filter Events on the View menu. When filtering is on, a check mark appears by the Filter command on the View menu and "(Filtered)" appears on the title bar. If Save Settings On Exit on the Options menu is checked when you quit Event Viewer, the filters remain in effect the next time you start Event Viewer.

Filtering has no effect on the actual contents of the log: It changes only the view. All events are logged continuously, whether the filter is active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file. For more information on archiving, see "Using Event Viewer with Archived Log Files" later in this chapter.

The following table describes the options available in the Filter dialog box.

View From: Events after a specific date and time. By default, this is the date of the first event in the log file.

View Through: Events up to and including a specific date and time. By default, this is the date of the last event in the log file.

Information, Warning, Error, Success Audit, Failure Audit [1]: Events of the checked types. See "Event Types" earlier in this chapter for the meaning of each type.

Source [2]: A source for logging events, such as an application, a system component, or a driver.

Category [3]: A classification of events defined by the source. For example, the security event categories are Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management.

User [3]: A specific user that matches an actual user name. This field is not case sensitive.

Computer [3]: A specific computer that matches an actual computer name. This field is not case sensitive.

Event ID [2]: A specific number that corresponds to an actual event.

[1] This option is not available for LAN Manager 2.x servers.

[2] This option is not available for audit logs on LAN Manager 2.x servers.

[3] This option is not available for error logs on LAN Manager 2.x servers.

For information on how to filter for events and turn off filtering of events, see "Filtering Events" in Event Viewer Help.

For information on how to return to the default criteria, see "Reset to Default Settings" in Event Viewer Help.

Searching for Events

To search for events that match a specific type, source, or category, click Find on the View menu. Searches can be useful when you are viewing large logs: For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources.

Your choices in the Find dialog box remain in effect throughout the current session. If Save Settings On Exit on the Event Viewer Options menu is checked when you quit, the current Find criteria are available the next time you start Event Viewer.

For more information, see "Searching for Events" in Event Viewer Help.

Setting Options for Logging Events

Logging starts automatically when you start the computer. Logging stops when an event log is full and cannot wrap, either because you have set it to be cleared manually or because the oldest event in the log is not yet old enough to be overwritten. Events that arrive while a log is in that state are not recorded.

Use the Log Settings command on the Log menu to define logging parameters for each kind of log. You can set the maximum size of the log and specify whether the events are overwritten or stored for a certain period of time.

The Event Log Wrapping option lets you define how events are retained in the log selected in the Change Settings For dialog box. (The default logging policy is to overwrite logs as needed, provided events are at least seven days old.) You can customize this policy for different logs.

The options include the following.

Overwrite Events As Needed: Have new events continue to be written when the log is full. Each new event replaces the oldest event in the log. This option is a good choice for low-maintenance systems.

Overwrite Events Older Than [ ] days: Retain events for the number of days you specify before overwriting them. The default is 7 days. This option is the best choice if you want to archive log files weekly. This strategy minimizes the chance of losing important log entries and at the same time keeps log sizes reasonable.

Do Not Overwrite Events: Clear the log manually rather than automatically. Select this option only if you cannot afford to miss an event, for example, for the security log at a site where security is extremely important. See "Halting the Computer When the Security Log is Full" later in this chapter for how to make the system halt, rather than continue unaudited, when such a log fills.

Note When a log is full (when no more events can be logged), you can free the log by clearing it. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.

For information on how to clear a log, see "Clearing All Events" in Event Viewer Help.

Although you can increase (to the capacity of the disk and memory) or decrease the maximum log size, each log file has an initial maximum size of 512K. Before decreasing a log's size, you must clear the log.

Using Event Logs to Troubleshoot Problems

Careful monitoring of event logs can help you predict and identify the sources of system problems. For example, if log warnings show that a disk driver can only read or write to a sector after several retries, the sector will likely go bad eventually. Logs can also confirm problems with application software: If an application crashes, an application event log can provide a record of activity leading up to the event.

The following are suggestions to help you use event logs to diagnose problems:

Archive logs in log format. The binary data associated with an event is discarded if you archive data in text or comma-delimited format.

If you suspect a hardware component is the origin of system problems, filter the system log to show only those events generated by the component.

If a particular event seems related to system problems, try searching the event log to find other instances of the same event or to judge the frequency of an error.

Note Event IDs are numbers that match a text description in a source message file. The number can be used by product-support representatives to understand what occurred in the system.

Monitoring Windows NT Security Events

You enable auditing from the User Manager Audit Policy dialog box. Through auditing, you can track Windows NT Workstation security events. You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who actually performed actions on the network and who tried to perform actions that are not permitted.

Events are not audited by default. If you have Administrator permission, you can specify what types of system events are audited through User Manager. The Audit policy determines the amount and type of security logging Windows NT Workstation performs. For file and object access, you can then specify which files and printers to monitor, which types of file and object access to monitor, and for which users or groups. For example, when File and Object Access auditing is enabled, you can use the Security tab in a file or folder's Properties dialog box (accessed through Windows NT Explorer) to specify which files are audited and what type of file access is audited for those files.

Note You can audit file and folder access on only Windows NT File System (NTFS) drives.

Because the security log is limited in size, select the events to be audited carefully, and consider the amount of disk space you are willing to devote to the security log. The maximum size of the security log is defined in Event Viewer.

Note When administering domains, the Audit policy applies to the security log of the primary and backup domain controllers in the domain because they share the same Audit policy. When administering a computer running Windows NT Workstation or a computer running Windows NT Server as a member server, this policy applies only to the security log of that computer.

The following table describes the types of events that can be audited.

Logon and Logoff: A user logged on or off or made a network connection.

File and Object Access: A user opened a directory or a file that is set for auditing in File Manager, or a user sent a print job to a printer that is set for auditing in Print Manager.

Use of User Rights: A user used a user right (except those rights related to logon and logoff).

User and Group Management: A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.

Security Policy Changes: A change was made to the User Rights, Audit, or Trust Relationships policies.

Restart, Shutdown, and System: A user restarted or shut down the computer, or an event has occurred that affects system security or the security log.

Process Tracking: These events provide detailed tracking information for things like program activation, some forms of handle duplication, indirect object accesses, and process exit.

Auditing File and Folder Access

You can audit the access of files and folders on NTFS volumes to identify who took various types of actions with the files and folders and hold those users accountable for their actions.

To set auditing on a file or folder, use User Manager to enable auditing of File and Object Access, and then use Windows NT Explorer to specify which files to audit and which type of file access events to audit. To view audit entries, use the Event Viewer.

You can audit successful and failed attempts of the following types of directory and file access.

Types of directory access:

Displaying names of files in the directory
Displaying directory attributes
Changing directory attributes
Creating subdirectories and files
Going to the directory's subdirectories
Displaying the directory's owner and permissions
Deleting the directory
Changing directory permissions
Changing directory ownership

Types of file access:

Displaying the file's data
Displaying file attributes
Displaying the file's owner and permissions
Changing the file
Changing file attributes
Running the file
Deleting the file
Changing the file's permissions
Changing the file's ownership

To audit the following activities on a directory, select the events shown.

To audit the following activities on a file, select the events shown.

Note To audit files and directories, you must be logged on as a member of the Administrators group.

Auditing Printer Access

By auditing a printer, you track its usage. For a particular printer, you can specify which groups or users and which actions to audit. You can audit both successful and failed actions.

Important To audit a printer, you must set the audit policy to audit file and object access.

To audit the following activities for a printer, select the events shown in the following table.

Halting the Computer When the Security Log is Full

If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you can have Windows NT halt when the log is full, so that no auditable activity can take place without an audit record being written. To do so, use the Registry Editor to create or assign the following registry value:

Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: CrashOnAuditFail
Type: REG_DWORD
Value: 1

The changes take effect the next time the computer is started. You can update the Emergency Repair Disk to reflect these changes.

If Windows NT Workstation halts as a result of a full security log, it stops with STOP 0xC0000244 {Audit Failed} and changes CrashOnAuditFail to 2. After the restart, only administrators can log on until the security log has been cleared (archive it first if you need the records) and CrashOnAuditFail has been set back to 1, so that auditable activity is again prevented while the log is full. For more information on recovering after Windows NT halts, see "Recovering After Windows NT Halts Because it Cannot Generate an Audit Event Record" in Event Viewer Help.
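The interaction between the Event Log Wrapping setting (see "Setting Options for Logging Events" earlier in this chapter) and CrashOnAuditFail is easiest to see on a small model. The following Python script is an added example, not part of the original chapter and not Windows NT code: it models the security log as a fixed number of record slots (the real log is limited in bytes, 512K by default) and writes a burst of audit events one minute apart, to show under which settings events are silently lost and under which the system halts instead. The STOP code 0xC0000244 and the change of CrashOnAuditFail to 2 after a halt are Windows NT behaviour not stated on this page; the class and function names are ours.

```python
from datetime import datetime, timedelta

# The three Event Log Wrapping choices from the Event Log Settings dialog.
OVERWRITE_AS_NEEDED = "Overwrite Events As Needed"
OVERWRITE_OLDER_THAN = "Overwrite Events Older Than [n] days"
DO_NOT_OVERWRITE = "Do Not Overwrite Events"


class AuditHalt(Exception):
    """Stands in for the STOP 0xC0000244 {Audit Failed} halt that Windows NT
    raises when CrashOnAuditFail is 1 and an audit record cannot be written."""


class SecurityLog:
    """Fixed-capacity log.  Capacity is counted in records here, which is a
    simplification of the byte-sized real log."""

    def __init__(self, capacity, policy, retention_days=7, crash_on_audit_fail=0):
        self.capacity = capacity
        self.policy = policy
        self.retention = timedelta(days=retention_days)   # 7 is the NT default
        self.crash_on_audit_fail = crash_on_audit_fail    # registry value 0, 1 or 2
        self.records = []   # (timestamp, text), oldest first
        self.dropped = 0    # audit events that were never recorded

    def _may_overwrite_oldest(self, now):
        if self.policy == OVERWRITE_AS_NEEDED:
            return True
        if self.policy == OVERWRITE_OLDER_THAN:
            # "the first event in the log is not old enough" is the case
            # where this returns False and logging stops
            return now - self.records[0][0] > self.retention
        return False        # DO_NOT_OVERWRITE: only Clear All Events frees space

    def write(self, when, text):
        """Append an audit record; return True if it was accepted."""
        if len(self.records) == self.capacity:
            if not self._may_overwrite_oldest(when):
                if self.crash_on_audit_fail == 1:
                    # NT halts and rewrites the value to 2; after the restart
                    # only Administrators can log on until the log is cleared
                    # and the value is set back to 1 by hand.
                    self.crash_on_audit_fail = 2
                    raise AuditHalt(text)
                self.dropped += 1       # silent loss: nothing tells the user
                return False
            self.records.pop(0)
        self.records.append((when, text))
        return True

    def clear(self):
        """Clear All Events on the Log menu."""
        self.records.clear()


def fill(policy, crash_on_audit_fail=0, capacity=4, events=6):
    """Write `events` records one minute apart into a `capacity`-slot log.
    Returns (accepted, dropped, halted_at): halted_at is the index of the
    event that triggered the halt, or None if the system kept running."""
    log = SecurityLog(capacity, policy, crash_on_audit_fail=crash_on_audit_fail)
    start = datetime(1997, 1, 14, 9, 0)     # constructed timestamp
    accepted = 0
    for i in range(events):
        try:
            if log.write(start + timedelta(minutes=i), f"audit event {i}"):
                accepted += 1
        except AuditHalt:
            return accepted, log.dropped, i
    return accepted, log.dropped, None


if __name__ == "__main__":
    for policy, crash in [(OVERWRITE_AS_NEEDED, 0), (OVERWRITE_OLDER_THAN, 0),
                          (DO_NOT_OVERWRITE, 0), (DO_NOT_OVERWRITE, 1)]:
        print(f"{policy:38} CrashOnAuditFail={crash}: {fill(policy, crash)}")
```

With a four-slot log and six events a minute apart, only Overwrite Events As Needed accepts all six; the seven-day policy behaves exactly like Do Not Overwrite during a burst, dropping the last two events without any indication, and only the CrashOnAuditFail=1 variant turns that loss into a visible halt at the fifth event.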

Using Event Viewer with Archived Log Files

You can archive security logs so that you can monitor security events over a period of time. Or you can archive application logs so that you can track the Warning and Error events that occur for specific applications.

When you archive a log file, the entire log is saved, regardless of any filtering options specified in Event Viewer. If you changed the sort order in Event Viewer, event records are saved exactly as displayed if you archive the log in a text or comma-delimited text file.

Archiving a Log

When you archive an event log, you save it in one of three file formats:

Log file format, which enables you to view the archived log again in Event Viewer.

Text file format, which enables you to use the information in an application, such as a word processor.

Comma-delimited text file format, which enables you to use the information in an application, such as a spreadsheet or a flat-file database.

The binary event data is saved if you archive a log in log file format, but it is discarded if you archive the log in text file format or in comma-delimited text file format. The event description is saved in all archived logs. When you archive a sorted log, the sort order affects the order in which event records are archived in a text file format or comma-delimited text file format. However, sort order does not affect the order of event records in a log archived in log file format. In either case, the fields within each individual event record are recorded in the following order:

1. Date [1]
2. Time
3. Source
4. Type
5. Category
6. Event
7. User
8. Computer
9. Description

[1] Depends on the sort order specified on the View menu.

Archival has no effect on the current contents of the active log. To clear the original log, you must click Clear All Events on the Log menu. To remove an archived log file, delete the file as you would other kinds of files.

For information on how to archive an event log, see "Archiving Event Logs" in Event Viewer Help.

Viewing a Log Archived in Log File Format

You can view an archived file in Event Viewer only if the log was saved in event log-file format. You cannot click the Refresh or Clear All Events commands to update the display or to clear an archived log.

Note If you do not specify the correct log type (application, security, or system), the Description displayed for the archived log in the Event Detail dialog box will not be correct.

For information on how to display an archived log in Event Viewer, see "Viewing a Log Archived in Log File Format" in Event Viewer Help.

Using Logs Archived in a Text Format

An event log saved in text- or comma-delimited text format can be opened in other applications. These applications can be used to filter, sort, and format the archived event records. You can also combine event records from two or more archived text files to create reports.

For example, you can copy lines of text from an archived log to include as supporting information in an electronic mail message. Or you can archive a security log in comma-delimited format so that you can place the information in a spreadsheet and produce a chart showing the archived information.
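As an added example of processing such an archive (not code from the original chapter), the following Python script parses a comma-delimited archive in the nine-field order given under "Archiving a Log", applies the same criteria the Filter dialog offers, and runs two checks a security administrator would want over the result: repeated failed logons for one account within a short window, and a cleared security log. The sample archive is constructed, not a real log. Assumptions not taken from the page: the date and time strings use the US short format, descriptions containing commas are quoted so the csv module can split them, and the event IDs used (528 successful logon, 529 unknown user name or bad password, 517 audit log cleared, 560 object open) are Windows NT security event IDs that this chapter does not list.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample archive, not a real log, in the nine-field order used by
# Event Viewer's comma-delimited archives.  For a 529 record the User column
# holds the account the Security subsystem ran as (SYSTEM); the account that
# was tried appears only in the description, which is why the detector below
# reads the account name from the description text.
SAMPLE_ARCHIVE = """\
1/14/97,9:02:11 AM,Security,Success Audit,Logon/Logoff,528,Administrator,WKSTN1,"Successful Logon: User Name: Administrator, Domain: WKSTN1, Logon Type: 2"
1/14/97,9:05:40 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WKSTN1,"Logon Failure: Reason: Unknown user name or bad password, User Name: guest, Domain: WKSTN1"
1/14/97,9:05:52 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WKSTN1,"Logon Failure: Reason: Unknown user name or bad password, User Name: guest, Domain: WKSTN1"
1/14/97,9:06:03 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WKSTN1,"Logon Failure: Reason: Unknown user name or bad password, User Name: GUEST, Domain: WKSTN1"
1/14/97,9:30:00 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WKSTN1,"Logon Failure: Reason: Unknown user name or bad password, User Name: jsmith, Domain: WKSTN1"
1/14/97,10:15:22 AM,Security,Success Audit,System Event,517,Administrator,WKSTN1,"The audit log was cleared, Primary User Name: Administrator, Primary Domain: WKSTN1"
1/14/97,10:15:30 AM,Security,Success Audit,Object Access,560,Administrator,WKSTN1,"Object Open: Object Server: Security, Object Type: File, Object Name: C:\\payroll.xls"
"""


@dataclass
class EventRecord:
    when: datetime      # Date and Time fields combined
    source: str
    type: str           # Error, Warning, Information, Success Audit, Failure Audit
    category: str
    event_id: int
    user: str
    computer: str
    description: str


def parse_archive(text):
    """Turn comma-delimited archive text into EventRecord objects."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 9:
            continue        # blank or malformed line: skip rather than guess
        date, time, source, etype, category, event, user, computer, desc = row
        when = datetime.strptime(f"{date} {time}", "%m/%d/%y %I:%M:%S %p")
        records.append(EventRecord(when, source, etype, category, int(event),
                                   user, computer, desc))
    return records


def filter_events(records, view_from=None, view_through=None, types=None,
                  source=None, category=None, user=None, computer=None,
                  event_id=None):
    """Mirror the Filter dialog: every criterion given must match.  User and
    Computer compare case-insensitively, as the dialog does."""
    def keep(r):
        return ((view_from is None or r.when >= view_from)
                and (view_through is None or r.when <= view_through)
                and (types is None or r.type in types)
                and (source is None or r.source == source)
                and (category is None or r.category == category)
                and (user is None or r.user.lower() == user.lower())
                and (computer is None or r.computer.lower() == computer.lower())
                and (event_id is None or r.event_id == event_id))
    return [r for r in records if keep(r)]


_USER_NAME = re.compile(r"User Name:\s*([^,]+)")


def account_in(record):
    """Account named in the description, falling back to the User column."""
    match = _USER_NAME.search(record.description)
    return (match.group(1) if match else record.user).strip().lower()


def repeated_logon_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logons (event 529) inside
    any span of length `window`.  Returns {account: failures in that span}."""
    times_by_account = {}
    for r in filter_events(records, types={"Failure Audit"}, event_id=529):
        times_by_account.setdefault(account_in(r), []).append(r.when)
    flagged = {}
    for account, times in times_by_account.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[account] = max(flagged.get(account, 0), j - i + 1)
    return flagged


def audit_log_cleared(records):
    """Event 517 from the Security source means the security log was cleared:
    a gap in the audit trail that should be matched to an authorised action."""
    return filter_events(records, source="Security", event_id=517)


if __name__ == "__main__":
    recs = parse_archive(SAMPLE_ARCHIVE)
    for account, n in repeated_logon_failures(recs).items():
        print(f"{n} failed logons for {account} within 5 minutes")
    for r in audit_log_cleared(recs):
        print(f"security log cleared at {r.when} by {r.user}")
```

Because the archive drops the binary data and keeps only the description, everything the detector needs must come from the nine text fields; the account name for a failed logon is recovered from the description because the User column of a 529 record is not the account that was tried.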